Application security is hard. Finding the right people to perform application security work and manage the program is even harder. The application security space has twice as many job openings as candidates. Combine that with the fact that for every 200 software engineers there is only 1 security professional, and the question becomes: how do we staff a secure software group and integrate software security across an organization?
Many approaches to this problem are in use across the various industry verticals. Most involve hiring expensive consultants or conducting long job searches for candidates who rarely exist. Coming from a software development background and working with software engineers in training and consulting engagements around the world has led me to one conclusion: capable software security engineers are already working on your engineering teams. Management just needs to put a program in place to educate and empower them, and build strong application security champions.
Over the years, I've had this conversation with several folks from many different organizations. Since so many had the same questions and were looking for guidance, it became clear to me that this topic would make a great talk.
I had the privilege of presenting the "Taking Control of Your Application Security" talk during an evening session at SANS Orlando 2017 last week. Of course, we had a little fun with a case study and discussed some actionable takeaways for building a culture of secure software engineering. But most importantly, I walked the audience through my journey from software engineer to application security consultant.
A number of attendees have asked for a copy of the slides, which can be found here: Taking Control of Your Application Security
For more information on application security training, check out the following resources:
In-Depth Online / Classroom Training: SANS Application Security Curriculum
Developer Security Awareness Training: STH.Developer Training
Eric Johnson is a Principal Security Consultant at Cypress Data Defense. At Cypress, he leads web and mobile application penetration testing, secure development lifecycle consulting, secure code review assessments, static source code analysis, security research, and security tool development. Eric has presented his security research at conferences around the world including SANS, BlackHat, OWASP AppSecUSA, BSides, JavaOne, UberConf, and ISSA. He has contributed to several open source projects including Puma Scan, AWS Critical Security Control Automation, and the OWASP Secure Headers project. Eric is also a Certified Instructor with the SANS Institute where he authors several application security courses, serves on the advisory board for the SANS Securing the Human Developer awareness training program, and delivers security training around the world. Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.